Posted to users@spamassassin.apache.org by Joseph Brennan <br...@columbia.edu> on 2008/04/23 15:27:07 UTC

FROM_LOCAL_HEX fps

I noticed that FROM_LOCAL_HEX scores more often on legit mail than
on spam.  Specifically it hits on Myspace invitations and some type
of group mail from Gmail, which are both common.  It also hits on
a few verp sender addresses from random sites that appear to be
legit, and verp may become common.

I don't have the messages, only syslog entries.  Syslog shows the
envelope sender, but apparently the header From is the same.
Maybe someone else has sample messages for a proper report.

Joseph Brennan
Columbia University Information Technology




Myspace----

204.16.33.77
<04...@message.myspace.com>
<xx...@columbia.edu>
xxxx would like to be added as one of your friends!

Note: 204.16.33.77 is vmta14.myspace.com

Note: Aggravated by also hitting BAD_ENC_HEADER (3.499).  If I recall
correctly, I sent them a report about that a long time ago.  That was
a genuine standards violation that they should fix.



Gmail----

209.85.198.210
<3q...@orkut.bounces.google.com>
<xx...@columbia.edu>
orkut - xxxx xxxx has written you a scrapbook entry

Note: 209.85.198.210 is rv-out-0304.google.com

Note: 'orkut' seems to be the name of a group or list.  There are also
messages with subject like 'orkut - Invitation to join from xxxx'.

Note: Also hits FROM_STARTS_WITH_NUMS (2.302).  The envelope sender
starts with only one digit though-- is the header From different?





Re: FROM_LOCAL_HEX fps

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 23.04.08 09:27, Joseph Brennan wrote:
> I noticed that FROM_LOCAL_HEX scores more often on legit mail than
> on spam.  Specifically it hits on Myspace invitations and some type
> of group mail from Gmail, which are both common.  It also hits on
> a few verp sender addresses from random sites that appear to be
> legit, and verp may become common.
> 
> I don't have the messages, only syslog entries.  Syslog shows the
> envelope sender, but apparently the header From is the same.
> Maybe someone else has sample messages for a proper report.

> Note: Also hits FROM_STARTS_WITH_NUMS (2.302).  The envelope sender
> starts with only one digit though-- is the header From different?

We've had similar FPs when users sent mail from their mobile phones via
SMS/MMS - the From: address and local part were their phone numbers, which
made them hit.

I was wondering whether I should just whitelist them, or better, make an
exception for those rules/sources (and how).

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.